Monday May 19, 2008

Working Around a Simple Directory Server Install Issue with Windows

While working with a customer evaluating Sun's Directory Server Enterprise Edition 6.3 for Windows, we came across a problem during very basic install and setup.  For posterity's sake, I thought it might make sense to document the issue and offer a few potential workarounds. 

How to replicate

1. Install the directory server.  In this case the downloadable image has been unzipped into the c:\tmp\dsee63\DSEE_ZIP_DISTRIBUTION directory.

C:\tmp\dsee63\DSEE_ZIP_Distribution> dsee_deploy --no-inter -i /tmp/ds63
Unzipping sun-ldap-shared-l10n.zip ...
Unzipping sun-ldap-directory.zip ...
Unzipping sun-ldap-console-gui-help-l10n.zip ...
Configuring Cacao at /tmp/ds63/dsee6/cacao_2
...
You can now start your Directory Server Instances
You can now start your Directory Proxy Server Instances

2. Create a new Directory Server instance and start the instance

C:\tmp\dsee63\DSEE_ZIP_Distribution>cd \tmp\ds63
C:\tmp\ds63> set PATH=c:\tmp\ds63\ds6\bin;c:\tmp\ds63\dsrk6\bin;%PATH%
C:\tmp\ds63>dsadm create /tmp/instance
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use 'dsadm start '/tmp/instance'' to start the instance
C:\tmp\ds63>dsadm start /tmp/instance
Waiting for Directory Server instance 'C:/tmp/instance' to start...
Directory Server instance 'C:/tmp/instance' started: pid=2144

3. Create a suffix.  This is where the installation fails:

C:\tmp\ds63>dsconf create-suffix -h localhost -p 1389 dc=example,dc=com
Enter "cn=Directory Manager" password:
Unable to bind securely on "localhost:1389".
The "create-suffix" operation failed on "localhost:1389".

The problem here is described in the Sun Java System Directory Server Enterprise Edition 6.3 Release Notes:

On Windows systems, Directory Server does not allow Start TLS by default.

This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.

To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.


Two Potential Workarounds

Workaround 1: Issue the 'dsconf create-suffix' command by directly connecting to the SSL port (-P 1636)

C:\tmp\ds63>dsconf create-suffix -h localhost -P 1636 dc=example,dc=com
Certificate "CN=TECRA-A1, CN=1636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details
: Y
Enter "cn=Directory Manager" password:

Workaround 2: Modify the ds-start-tls-enabled attribute that is stored in the directory server configuration.

a. Create a file, say c:\tmp\modify.ldif, which looks like:

  dn: cn=config
  changetype: modify
  replace: ds-start-tls-enabled
  ds-start-tls-enabled: on

b. Issue an ldapmodify command something like this:

C:\tmp>ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password < c:\tmp\modify.ldif
modifying entry cn=config

c. Confirm modification via ldapsearch command:

C:\tmp>ldapsearch -b "cn=config" -h localhost -p 1389 -D "cn=Directory Manager" -w password "cn=config" ds-start-tls-enabled
version: 1
dn: cn=config
ds-start-tls-enabled: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config

dn: cn=config,cn=ldbm database,cn=plugins,cn=config

d. Stop and restart the directory server instance

C:\tmp\ds63>dsadm stop /tmp/instance
Directory Server instance 'C:/tmp/instance' stopped

C:\tmp\ds63>dsadm start /tmp/instance
Directory Server instance 'C:/tmp/instance' started: pid=3560

e. Try creating a suffix with the standard port (1389):

C:\tmp\ds63>dsconf create-suffix -h localhost -p 1389 dc=example1,dc=com
Enter "cn=Directory Manager" password:
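To make steps a and c of Workaround 2 repeatable, here is a small Python script I would use to generate the modify LDIF and to check the ldapsearch output for the ds-start-tls-enabled value. This is an added example written for this post, not code shipped with Directory Server; it assumes ldapsearch prints standard LDIF (RFC 2849): entries separated by blank lines, continuation lines beginning with one space, and "attr:: value" for base64-encoded values. The sample output embedded below is constructed from the ldapsearch output above, with one folded DN and one base64 attribute added to exercise the parser.

```python
"""Generate the Start TLS modify LDIF and confirm the setting from ldapsearch output.

Added example for this post (not Sun's code). Assumes RFC 2849 LDIF as
produced by ldapsearch: blank-line separated entries, space-prefixed
continuation lines, and "attr:: base64" encoded values.
"""
import base64

START_TLS_ATTR = "ds-start-tls-enabled"

# Constructed sample: the ldapsearch output from step c, plus a folded DN
# and a base64-encoded attribute so both parser paths are exercised.
SAMPLE_LDIF = """version: 1
dn: cn=config
ds-start-tls-enabled: on
nsslapd-security:: b24=

dn: cn=config,cn=chaining database,cn=plugins,cn=config

dn: cn=config,cn=ldbm database,cn=plugins,
 cn=config
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) tuples, one per entry."""
    # Unfold continuation lines first: a leading space means "same line".
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    attrs = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line == "":
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return entries


def start_tls_state(ldif_text, dn="cn=config"):
    """Return the ds-start-tls-enabled value on the given entry, or None if absent."""
    for entry_dn, attrs in parse_ldif(ldif_text):
        if entry_dn.lower() == dn.lower():
            values = attrs.get(START_TLS_ATTR)
            return values[0] if values else None
    return None


def modify_ldif(enabled=True):
    """Build the LDIF that step a writes to c:\\tmp\\modify.ldif."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        f"replace: {START_TLS_ATTR}",
        f"{START_TLS_ATTR}: {'on' if enabled else 'off'}",
        "",
    ])


if __name__ == "__main__":
    print(modify_ldif(), end="")
    print("Start TLS on cn=config:", start_tls_state(SAMPLE_LDIF))
```

In practice you would pipe the real ldapsearch output into start_tls_state (for example by reading sys.stdin) and fail the setup step if it does not return "on" before retrying dsconf on port 1389; the parser also copes with the DN folding that ldapsearch applies to long lines, which the two-line visual check above does not.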

Note:  Directory Server Enterprise Edition 6.3 is supported on Windows Server 2003, but not on Windows XP.  Although not formally supported, it is possible to experiment with it on XP.

About

Jim Connors
